CURLOPT_CAINFO_BLOB feature + OpenSSL backend implementation #5664
Conversation
@@ -1971,6 +1971,10 @@ typedef enum { | |||
CURLOPT(CURLOPT_PROXY_ISSUERCERT, CURLOPTTYPE_STRINGPOINT, 296), | |||
CURLOPT(CURLOPT_PROXY_ISSUERCERT_BLOB, CURLOPTTYPE_BLOB, 297), | |||
|
|||
/* The CAinfo blob used to validate the peer certificate | |||
this option is used only if SSL_VERIFYPEER is true */ | |||
CURLOPT(CURLOPT_CAINFO_BLOB, CURLOPTTYPE_BLOB, 298), |
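Review bot: the new enum value `CURLOPT(CURLOPT_CAINFO_BLOB, CURLOPTTYPE_BLOB, 298)` arrives with no man page, no entry in docs/libcurl/symbols-in-versions and no test, and the comment above it does not say how the option interacts with CURLOPT_CAINFO when both are set. State in the comment (and later in the option's man page) which one wins or whether they are additive, alongside the SSL_VERIFYPEER caveat already given, so that callers do not have to read the backend code to find out.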
Adds a new option, but there's no documentation and no test case verifying it!
Good point! Will do if necessary.
if(!ssl_cainfo_bio) | ||
return CURLE_SSL_CERTPROBLEM; | ||
while (cert = PEM_read_bio_X509(ssl_cainfo_bio, NULL, 0, NULL)) { | ||
X509_STORE_add_cert(SSL_CTX_get_cert_store(backend->ctx), cert); |
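Review bot: the loop at `while (cert = PEM_read_bio_X509(ssl_cainfo_bio, NULL, 0, NULL))` leaks every certificate it reads, because `X509_STORE_add_cert()` takes its own reference on the object; each `cert` needs an `X509_free(cert)` after the add. The loop also cannot distinguish end of data from a parse error, since PEM_read_bio_X509() returns NULL in both cases, so a truncated or corrupt bundle silently leaves a partial or empty store while setup reports success. After the loop, treat anything other than PEM_R_NO_START_LINE on the error queue as a failure (and clear that one), fail if no certificate was added, and check the return value of X509_STORE_add_cert() instead of discarding it. Style-wise, curl writes `while(` without a space and avoids assignment inside the condition, e.g. `while((cert = PEM_read_bio_X509(ssl_cainfo_bio, NULL, 0, NULL)) != NULL)`. Returning CURLE_SSL_CERTPROBLEM when the BIO could not be created also mislabels what is an allocation failure; CURLE_OUT_OF_MEMORY fits better.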
It adds the cert to the store, right? Will repeated invokes re-using the same handle then readd the same cert again?
Judging from the code, this is done absolutely the same way and at the same point as importing the windows cert store, as well as loading certs from files/dirs. The SSL context is created afresh at the start of this function:
```c
if(backend->ctx)
  SSL_CTX_free(backend->ctx);
backend->ctx = SSL_CTX_new(req_method);
```
Is this the same feature as #4679?

I cloned #4679 as #5677, just rebasing on current master. But I don't know which PR is better as a base between 4679/5677 and this 5664.

Duplicate of #5677
This allows setting CAinfo bundle from memory.
This is an improved version of my old CABUNDLE/CABUNDLESIZE pull request.
I can also create an mbedTLS implementation if necessary.
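As an added example, not code from curl or from this PR: a small C scanner that walks a PEM CA bundle held in memory with the same stop-at-first-defect semantics as the `while (cert = PEM_read_bio_X509(...))` loop reviewed above. Because `PEM_read_bio_X509()` returns NULL both at end of data and on a malformed block, that loop quietly stops early on a truncated or corrupted bundle and the CAs after the defect never reach the store. An application about to hand a blob to CURLOPT_CAINFO_BLOB can run this check first and compare the count against the number of CAs it expects to trust. The scanner checks PEM framing and the base64 alphabet only; it does not decode DER, which would need OpenSSL. The function names, the `pem_scan` struct and the sample bundle with placeholder base64 bodies are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not curl's code): emulate how a PEM_read_bio_X509() loop
 * consumes an in-memory CA bundle. The walk stops at the first block it
 * cannot frame, exactly where PEM_read_bio_X509() would return NULL, so the
 * caller can see how many CAs would actually have been added to the store.
 * Only PEM framing and the base64 alphabet are checked; DER validity is not.
 */

#define NOT_FOUND ((size_t)-1)

struct pem_scan {
  size_t certs;      /* complete, well-framed CERTIFICATE blocks seen */
  size_t stopped_at; /* byte offset where the walk stopped */
  int truncated;     /* a BEGIN line without a matching END line */
  int bad_body;      /* a non-base64 byte inside a block body */
};

static const char BEGIN_MARK[] = "-----BEGIN CERTIFICATE-----";
static const char END_MARK[] = "-----END CERTIFICATE-----";

/* Bounded substring search; memmem() is not portable C. */
static size_t find_marker(const char *hay, size_t hay_len,
                          const char *needle, size_t needle_len)
{
  size_t i;
  if(needle_len > hay_len)
    return NOT_FOUND;
  for(i = 0; i + needle_len <= hay_len; i++)
    if(memcmp(hay + i, needle, needle_len) == 0)
      return i;
  return NOT_FOUND;
}

static int is_base64_or_space(unsigned char c)
{
  return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
         (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=' ||
         c == '\n' || c == '\r' || c == ' ' || c == '\t';
}

/* Walk the blob; like PEM_read_bio(), skip anything before a BEGIN line,
   and stop at the first block that cannot be framed. */
struct pem_scan pem_scan_bundle(const char *blob, size_t len)
{
  struct pem_scan r = {0, 0, 0, 0};
  size_t pos = 0;
  const size_t blen = sizeof(BEGIN_MARK) - 1;
  const size_t elen = sizeof(END_MARK) - 1;

  while(pos < len) {
    size_t b = find_marker(blob + pos, len - pos, BEGIN_MARK, blen);
    size_t body_start, e, i;
    if(b == NOT_FOUND) {
      pos = len; /* clean end of data: no further BEGIN line */
      break;
    }
    body_start = pos + b + blen;
    e = find_marker(blob + body_start, len - body_start, END_MARK, elen);
    if(e == NOT_FOUND) {
      r.truncated = 1; /* PEM_read_bio_X509() would return NULL here */
      r.stopped_at = pos + b;
      return r;
    }
    for(i = body_start; i < body_start + e; i++) {
      if(!is_base64_or_space((unsigned char)blob[i])) {
        r.bad_body = 1; /* base64 decoding would fail on this block */
        r.stopped_at = pos + b;
        return r;
      }
    }
    r.certs++;
    pos = body_start + e + elen;
  }
  r.stopped_at = pos;
  return r;
}

/* 1 if the whole blob was consumed and exactly `expected` CAs were framed. */
int pem_bundle_complete(const char *blob, size_t len, size_t expected)
{
  struct pem_scan r = pem_scan_bundle(blob, len);
  return !r.truncated && !r.bad_body && r.certs == expected;
}

/* Constructed sample: a comment line, two well-framed blocks, then a third
   block cut off mid-body. The bodies are placeholders, not real certs. */
static const char SAMPLE_BUNDLE[] =
  "# constructed bundle\n"
  "-----BEGIN CERTIFICATE-----\n"
  "MIIBszCCAVmgAwIBAgIUAAAA\n"
  "-----END CERTIFICATE-----\n"
  "-----BEGIN CERTIFICATE-----\n"
  "MIIBszCCAVmgAwIBAgIUBBBB\n"
  "-----END CERTIFICATE-----\n"
  "-----BEGIN CERTIFICATE-----\n"
  "MIIBszCCAVmgAwIB";

int main(void)
{
  size_t len = sizeof(SAMPLE_BUNDLE) - 1;
  struct pem_scan r = pem_scan_bundle(SAMPLE_BUNDLE, len);
  printf("certs=%zu truncated=%d bad_body=%d stopped_at=%zu\n",
         r.certs, r.truncated, r.bad_body, r.stopped_at);
  /* Expecting three CAs from this blob would be a mistake: only two load. */
  return pem_bundle_complete(SAMPLE_BUNDLE, len, 3) ? 0 : 1;
}
```

The useful check is `pem_bundle_complete()` with the number of CAs you intended to ship: the backend loop reviewed above returns success for the sample blob after adding only two certificates, while the scanner reports `certs=2 truncated=1` and the offset of the broken block, so the application can refuse the blob instead of discovering the missing CA as an unexplained verification failure later.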